Introduction


Research questions:

• Can a Smart TV be a key component in a digital forensic investigation?
• Is it possible to acquire data from a Smart TV?
• Can a Smart TV contain relevant data?


Material and Methods


• Literature study
• Selection of Smart TV
• Data acquisition
• Data analysis:
  - System information and settings
  - Apps
  - Web browsing
  - Photo and multimedia files
  - External media
  - Cloud services
  - Channel information


[Figure: Click Distribution by LCD-TV Manufacturer (Q4 2011-Q4 2012)]
• Chip-off
• De-soldering of eMMC chip
• Read out with:
  - NFI Memory Toolkit II
• This method works on almost all embedded devices; the problem after chip-off is crypto.


Data Acquisition: the Five-Wire Method


• More and more embedded systems use eMMC chips
• eMMC is roughly the same as an MMC card
• Only three signals + power supply required to read
• Via the controller, a disk image is created, not a raw copy of the NAND

[Diagram: e-MMC = NAND flash + managed NAND controller (bad block management, wear levelling) behind an eMMC 4.41 interface]
Data Acquisition: the Five-Wire Method


Does not work yet, probably because there are also other chips which start up and draw current.

It can be done with many other devices.


Data Acquisition: App


• Smart TVs are ordinary computers
• They often run a Linux operating system
• Rooting


Data Acquisition: App


• SamyGO forum on the Internet
• Many opportunities for "rooting"
• Possible to use Smart TV as a BitTorrent client, etc.


Data Acquisition


• The Five-Wire Method: quick method, more research is needed, repeatable
• Chip-off: takes longer, repeatability is getting better
• App: fast method, but does not work on all firmware


Removable Soldered Memory 


Test device now equipped with removable media by using a BGA adapter.
FILE SYSTEM ANALYSIS


File System Analysis


• Squashfs
  - Read-only
  - Software from the Samsung Open Source Release Center
  - Adjusted image authentication and compression
• Samsung eMMC
  - Samsung chip-oriented file system
  - Like a BTRFS variant: journaling, snapshotting
  - Magic '1eMMCFS'
• Partition redundancy
  - Some partitions have the same size
  - Used to reset software


File System Analysis


flash device name  flash device size  flash image name  flash upgrade type  flash partition map  flash mount path
/dev/mmcblk0p0     524288             onboot.bin        OTHER               BOOTLOADER0          NONE
/dev/mmcblk0p1     524288             u-boot.bin        NONE                BOOTLOADER1          NONE
/dev/mmcblk0p2     524288             secos.bin         USER                SECOS0               NONE
/dev/mmcblk0p3     524288             secos.bin         USER                SECOS1               NONE
/dev/mmcblk0p4     0                  ex partition      NONE                NONE                 NONE
/dev/mmcblk0p5     524288             seret.bin         USER                SERET0               NONE
/dev/mmcblk0p6     524288             seret.bin         USER                SERET1               NONE
/dev/mmcblk0p7     7340032            uImage            USER                KERNEL0              NONE
/dev/mmcblk0p8     5767168            rootfs.img        USER                RFS0                 NONE
/dev/mmcblk0p9     7340032            uImage            USER                KERNEL1              NONE
/dev/mmcblk0p10    5767168            rootfs.img        USER                RFS1                 NONE
/dev/mmcblk0p11    8192               sign0.bin         NONE                SECUREMAC0           NONE
/dev/mmcblk0p12    8192               sign1.bin         NONE                SECUREMAC1           NONE
/dev/mmcblk0p13    8192               VD-HEADER         NONE                NONE                 NONE
/dev/mmcblk0p14    3145728            NONE              NONE                NONE                 mtd_drmregion_a
/dev/mmcblk0p15    3145728            NONE              NONE                NONE                 mtd_drmregion_b
/dev/mmcblk0p16    157286400          NONE              NONE                NONE                 mtd_rwarea
/dev/mmcblk0p17    367001600          exe.img           USER                EXE0                 mtd_exe
/dev/mmcblk0p18    367001600          exe.img           USER                EXE1                 mtd_exe
/dev/mmcblk0p19    419430400          rocommon.img      USER                CONTENT0             mtd_rocommon
/dev/mmcblk0p20    419430400          rocommon.img      USER                CONTENT1             mtd_rocommon
/dev/mmcblk0p21    104857600          emanual.img       OTHER               NONE                 mtd_emanual
/dev/mmcblk0p22    157286400          NONE              NONE                NONE                 mtd_contents
/dev/mmcblk0p23    10485760           NONE              NONE                NONE                 mtd_swu
/dev/mmcblk0p24    1870979072         rwcommon.img      OTHER               NONE                 mtd_rwcommon
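
Partition dumps such as those listed above can be triaged by signature before anything is mounted. The following added example, which is not from the original slides, identifies an image from its first bytes and decodes the start of a standard SquashFS 4.x superblock. The sample inputs are constructed, and the 4 KiB search window for the eMMCFS string is an assumption, because the slides give the magic but not its offset.

```python
import struct
from datetime import datetime, timezone

# Compression ids defined by mainline SquashFS 4.x.
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
SQFS_SB = struct.Struct("<4sIIIIHHHHHHQQ")  # first 48 bytes of the superblock

def identify(head: bytes) -> dict:
    """Classify the first bytes of a partition dump by its signature."""
    if head[:4] == b"hsqs" and len(head) >= SQFS_SB.size:
        (_, inodes, mkfs, block, _, comp, _, _, _, major, minor,
         _, used) = SQFS_SB.unpack_from(head)
        built = datetime.fromtimestamp(mkfs, timezone.utc).isoformat()
        return {"type": "squashfs", "version": f"{major}.{minor}",
                "built_utc": built, "block_size": block,
                "inodes": inodes, "bytes_used": used,
                # A vendor-modified image may use an id outside this set.
                "compression": COMPRESSORS.get(comp, f"non-standard ({comp})")}
    if head[:4] == b"\x27\x05\x19\x56":          # U-Boot legacy image header
        return {"type": "uImage"}
    if head[:16] == b"SQLite format 3\x00":
        return {"type": "sqlite"}
    # Assumption: the eMMCFS signature string sits within the first 4 KiB.
    # Matching "eMMCFS" also matches the '1eMMCFS' form shown on the slide.
    if b"eMMCFS" in head[:4096]:
        return {"type": "emmcfs"}
    if not head.strip(b"\x00") or not head.strip(b"\xff"):
        return {"type": "blank"}
    return {"type": "unknown"}

def sample_heads() -> dict:
    """Constructed inputs standing in for the first bytes of partition dumps."""
    sqfs = SQFS_SB.pack(b"hsqs", 812, 1400000000, 131072, 0, 1, 17, 0, 1,
                        4, 0, 0, 5767168)
    return {"rootfs.img": sqfs,
            "uImage": b"\x27\x05\x19\x56" + bytes(60),
            "rwcommon.img": bytes(1024) + b"1eMMCFS" + bytes(64),
            "mtd_swu": b"\xff" * 512}

if __name__ == "__main__":
    for name, head in sample_heads().items():
        print(name, identify(head))
```
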


Data Analysis: System and Network Information


• Device name
• Connected devices
• Network information
• Smart functionalities

[Screenshot: TV network status and information screens. Network Status: "Wired network and Internet connection settings complete."; MAC Address 50:85:69:4b:bf:25; IP Address and DNS Server (192.168.…, partly illegible); Apps Version; Memory Usage 543.21 MB / 1.63 GB; Unique ID; Netflix ESN]


Data Analysis: System and Network Information


• System information:
  - Serial number
  - Model
  - Brand
  - Unique ID
  - etc.
• Network information:
  - Information about network name
  - IP addresses
  - Bluetooth devices
  - MAC address

Data Analysis: Apps


• Facebook
• Twitter
• YouTube, etc.


Data Analysis: Apps


• Name
• Date
• Screenshots
• User related information
Data Analysis: Apps


[Screenshot: file listing with columns Name, Date modified, Type]

Name:
  100001756376377_637236553011551
  100001756376377_637236553011551Dieter Baar
  100002591493138_591328540963524Ä-Jan Peter
  100007871257058_1405149866424042

Date modified:
  24-09-2014 16:02
  24-08-2014 16:02
  24-09-2014 16:02

Type:
  File folder
  File folder
  File folder
Data Analysis: Apps


"widgetname":"Facebook","vendor":"Samsung",
"install_date":"Wed, 19 May 2010 15:57:57 --0900",
"account_id":null,"login_token":null,"external_cp_app":true,
"sso_id":"test?hotmail.com",
"is_logged_in":false,"is_installed":true,"is_activated":true,
"is_init_state":true,"is_latest_verion":true,
"installed_version":"1.18128","widget_type":null,
"name":"Twitter","widgetname":"Twitter",
"vendor":"Samsung","install_date":"Sat, 13 Mar 2010 11:31:03 +0900",


Data Analysis: Web Browsing


• Visited websites
• Web history
• Information about search engines
• Bookmarks
• Cookies
• etc.


Data Analysis: Web Browsing


settings.db located in p24/webkit/WebBrowser.

• SQLite database
• Contains 14 tables

Relevant tables:
• FullBrowserHistory
• fullBrowser_HiddenHistory
• fullBrowser_Bookmark
• fullBrowser_Search


Data Analysis: Web Browsing


URL                                          Title                EnterTime   DeviceName
http://nl.msn.com/?pc=SMTV                   Hotmail, Messenger,  1970-01-01  Local
http://www.google.nl/
http://www.google.com/
http://www.facebook.com/
http://www.youtube.com/
http://www.youtube.com/watch?v=CU4NFfR7sRg   Kampioen - Soufiane  1970-01-01
http://www.amazon.com/                       Amazon.com: Online   1970-01-01  Local


Data Analysis: Picture and Multimedia Files


• The file .CM.db located in p22
• SQLite database
• Contains 20 tables
• Information about audio, pictures and video files
• When files are opened, played, etc.

Relevant tables:
• PhotoTable
• MusicTable
• VideoTable
• FileTable
• p22/RecentlyPlayed contains files with .mta extension.


Data Analysis: Picture and Multimedia Files


Table: [name illegible]

 #   …  TITLE     DATE        HEIGHT  MAKER
 1   3  IMG_0376  1304734357  2448    iPhone 5s
 2   1  IMG_0371  1404734281  2448    iPhone 5s
 3   3  IMG_0380  1404734417  2448    iPhone 5s
 4   5  IMG_0378  1404734390  2448    iPhone 5s
 5   3  IMG_0374  1404734202  2448    iPhone 5s
 6   [row illegible]
 7   2  IMG_0373  1404734288  2448    iPhone 5s
 8   1  IMG_0375  1404734356  2448    iPhone 5s
 9   7  IMG_0368  1404734256  2448    iPhone 5s
10   [row illegible]
11   4  IMG_0377  1404734379  2448    iPhone 5s
12   3  IMG_0370  1414734277  2448    iPhone 5s


Data Analysis: External Media Artifacts


• Device0013.db located in p22
• SQLite database
• Contains one table, TABLE_DEVID
• Information about USB flash drives

Table: TABLE_DEVID

ID  DEVID       DEVTYPE  EXTTYPE  MODELNAME         WRITABLE  PARTITIONINDEX  PARTITIONKEY  USERID  REGISTER
1   1404825533  0        102      DataTraveler 3.0  0


Data Analysis: TV Channels


• p16/map-AirA, map-AirD, map-CableA, map-CableD, map-SateD
• p22/.EPG.db: SQLite database, contains the Electronic Program Guide
• Due to time constraints not further investigated

Table: ProgramTable

Columns: ID, PROGRAM_ID, CHANNEL_ID, START_TIME, CHANNEL_NUMBER, CHANNEL_NAME, LANGUAGE, TME, GENRE_ID, DURATION


Data Analysis: Cloud Services


• URL
• Pictures
• Videos
• Username
• etc.

    url                                                             stamp
1   https://www.dropbox.com/ajax_captcha_login                      [illegible]
2   http://noticefile.samsungcloudsolution.com/Front/NoticeAll?c…   1404998392
3   https://www.dropbox.com/1/oauth/authorize?oauth_token=          1405000446
4   https://www.dropbox.com/home                                    1405001971
5   https://www.dropbox.com/1/oauth/authorize?oauth_token=          1405002037
6   https://www.dropbox.com/1/oauth/authorize?oauth_token=          1357005770
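
Several of the databases above store times as Unix epoch integers (DATE in the photo table, stamp in the cloud table). The following added example, which is not taken from the slides, opens an extracted SQLite file read-only and immutable, checks by hash that the file was not modified, and decodes every epoch-like integer column to UTC, flagging values before the year 2000 that suggest the TV clock was not set. The year-2000 threshold and the sample database are assumptions of the example.

```python
import hashlib
import sqlite3
from datetime import datetime, timezone
from pathlib import Path

Y2000 = 946684800  # assumption: earlier values mean the clock was not set

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def epoch_columns(path):
    """Map (table, column) -> [(raw, UTC ISO time, clock_suspect)] for every
    integer column that looks like it holds Unix timestamps."""
    before = sha256(path)
    # mode=ro + immutable=1: SQLite creates no journal, WAL or lock files.
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    found = {}
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            vals = [r[0] for r in con.execute(
                f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL')]
            # Small integers (e.g. HEIGHT) are skipped: at least one value
            # must be a plausible post-2000 timestamp.
            if (vals and all(type(v) is int and 0 <= v < 2**31 for v in vals)
                    and any(v >= Y2000 for v in vals)):
                found[(table, col)] = [
                    (v, datetime.fromtimestamp(v, timezone.utc).isoformat(),
                     v < Y2000) for v in vals]
    con.close()
    if sha256(path) != before:
        raise RuntimeError("evidence file changed during analysis")
    return found

def build_sample(path):
    """Constructed stand-in for a photo table; values modelled on the slide."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE PhotoTable (TITLE TEXT, DATE INTEGER, "
                "HEIGHT INTEGER, MAKER TEXT)")
    con.executemany("INSERT INTO PhotoTable VALUES (?,?,?,?)", [
        ("IMG_0375", 1404734356, 2448, "iPhone 5s"),
        ("IMG_0000", 0, 2448, "iPhone 5s")])  # 0 = clock unset (constructed)
    con.commit()
    con.close()
```

Run it against a working copy of the extracted database, never the original image.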


Conclusion


• A Smart TV is actually a computer and can be investigated with the same forensic toolset
• Acquiring data is possible
• A Smart TV can contain relevant data
• Relevant information is usually saved in SQLite databases
• Malicious users can abuse a Smart TV for viewing child pornography, communication, botnet, etc.


Future


• Further investigation of the five-wire method
• Investigate other makes and models of Smart TV
• Extensive data analysis research
• Develop an app for acquiring data
• Make memory dump
• Analyse network activity


Questions 


